General

  • Target

    e533ec44e0fbee8057cf1b3ad4782b277a5801eb02eab57082634f34bb6cfcc5.exe

  • Size

    3.1MB

  • Sample

    241118-pdfnsswhjn

  • MD5

    8a86375d4afaad3b3784efe30144a978

  • SHA1

    20b26de7d75461d01d01bb025c67bff370301655

  • SHA256

    e533ec44e0fbee8057cf1b3ad4782b277a5801eb02eab57082634f34bb6cfcc5

  • SHA512

    126979671be90d7712e340f4c70aff968c7570a3abdb794a8f964c81f3830a2da9f0d5755dd9a0c84435232381b835deef74b67775fc2a6c1a789ad398ff53d5

  • SSDEEP

    49152:7v/lL26AaNeWgPhlmVqvMQ7XSKd74wvMfY8oGdahZTHHB72eh2NTh:7vNL26AaNeWgPhlmVqkQ7XSKd74wIz

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

RuntimeBroker

C2

anonam39-41248.portmap.io:41248

Mutex

bcabad1b-b1a9-478b-a187-3607b6476fd1

Attributes
  • encryption_key

    479AF86B7B3A0AC9CE19AAE974A681BB6EE1949C

  • install_name

    RuntimeBroker.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    RuntimeBroker

  • subdirectory

    a7

Targets

    • Target

      e533ec44e0fbee8057cf1b3ad4782b277a5801eb02eab57082634f34bb6cfcc5.exe

    • Size

      3.1MB

    • MD5

      8a86375d4afaad3b3784efe30144a978

    • SHA1

      20b26de7d75461d01d01bb025c67bff370301655

    • SHA256

      e533ec44e0fbee8057cf1b3ad4782b277a5801eb02eab57082634f34bb6cfcc5

    • SHA512

      126979671be90d7712e340f4c70aff968c7570a3abdb794a8f964c81f3830a2da9f0d5755dd9a0c84435232381b835deef74b67775fc2a6c1a789ad398ff53d5

    • SSDEEP

      49152:7v/lL26AaNeWgPhlmVqvMQ7XSKd74wvMfY8oGdahZTHHB72eh2NTh:7vNL26AaNeWgPhlmVqkQ7XSKd74wIz

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks